Zero Trust
zero_trust
Access
zero_trust.access
Domain types
Enforces that a device posture rule has run successfully
Matches an Access group.
Matches any valid Access Service Token
Enforce different MFA options
Matches an Azure group. Requires an Azure identity provider.
Matches any valid client certificate.
Matches a specific country
Match an entire email domain.
Matches an email address from a list.
Matches a specific email.
Matches everyone.
Create Allow or Block policies which evaluate the user based on custom criteria.
Matches a GitHub organization. Requires a GitHub identity provider.
Matches an Access group.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
Matches an IP address from a list.
Matches an IP address block.
Matches an Okta group. Requires an Okta identity provider.
Matches a SAML group. Requires a SAML identity provider.
Matches a specific Access Service Token
zero_trust.access.applications
Methods
Adds a new application to Access.
Deletes an application from Access.
Fetches information about an Access application.
Lists all Access applications in an account or zone.
Revokes all tokens issued for an application.
Updates an Access application.
Domain types
The identity providers selected for application.
Identifier
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The application type.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The format of the name identifier sent to the SaaS application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Transformations and filters applied to resources before they are provisioned in the remote SCIM service.
A domain that Access will secure.
zero_trust.access.applications.cas
Methods
Generates a new short-lived certificate CA and public key.
Deletes a short-lived certificate CA.
Fetches a short-lived certificate CA and its public key.
Lists short-lived certificate CAs and their public keys.
Domain types
zero_trust.access.applications.policies
Methods
Creates a policy that applies exclusively to a single application and defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.
Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.
Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.
Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.
Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.
zero_trust.access.applications.policy_tests
Methods
Starts an Access policy test.
Fetches the current status of a given Access policy test.
zero_trust.access.applications.policy_tests.users
Methods
Fetches a single page of user results from an Access policy test.
zero_trust.access.applications.user_policy_checks
Methods
Tests if a specific user has permission to access an application.
Domain types
zero_trust.access.bookmarks
Methods
Create a new Bookmark application.
Deletes a Bookmark application.
Fetches a single Bookmark application.
Lists Bookmark applications.
Updates a configured Bookmark application.
Domain types
zero_trust.access.certificates
Methods
Adds a new mTLS root certificate to Access.
Deletes an mTLS certificate.
Fetches a single mTLS certificate.
Lists all mTLS root certificates.
Updates a configured mTLS certificate.
Domain types
A fully-qualified domain name (FQDN).
zero_trust.access.certificates.settings
Methods
List all mTLS hostname settings for this account or zone.
Updates an mTLS certificate's hostname settings.
Domain types
zero_trust.access.custom_pages
Methods
Create a custom page
Delete a custom page
Fetches a custom page and also returns its HTML.
List custom pages
Update a custom page
Domain types
zero_trust.access.gateway_ca
Methods
Adds a new SSH Certificate Authority (CA).
Deletes an SSH Certificate Authority.
Lists SSH Certificate Authorities (CA).
zero_trust.access.groups
Methods
Creates a new Access group.
Deletes an Access group.
Fetches a single Access group.
Lists all Access groups.
Updates a configured Access group.
Domain types
zero_trust.access.infrastructure
zero_trust.access.infrastructure.targets
Methods
Removes one or more targets.
Adds one or more targets.
Create new target
Delete target
Get target
Lists and sorts an account’s targets. Filters are optional and are ANDed together.
Update target
zero_trust.access.keys
Methods
Gets the Access key rotation settings for an account.
Performs a key rotation for an account.
Updates the Access key rotation settings for an account.
zero_trust.access.logs
zero_trust.access.logs.access_requests
Methods
Gets a list of Access authentication audit logs for an account.
Domain types
zero_trust.access.policies
Methods
Creates a new Access reusable policy.
Deletes an Access reusable policy.
Fetches a single Access reusable policy.
Lists Access reusable policies.
Updates an Access reusable policy.
Domain types
A group of email addresses that can approve a temporary authentication request.
zero_trust.access.service_tokens
Methods
Generates a new service token. Note: This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.
Deletes a service token.
Fetches a single service token.
Lists all service tokens.
Refreshes the expiration of a service token.
Generates a new Client Secret for a service token and revokes the old one.
Updates a configured service token.
Domain types
zero_trust.access.users
Methods
Gets a list of users for an account.
Domain types
zero_trust.access.users.active_sessions
Methods
Get an active session for a single user.
Get active sessions for a single user.
zero_trust.access.users.failed_logins
Methods
Get all failed login attempts for a single user.
zero_trust.access.users.last_seen_identity
Methods
Get last seen identity for a single user.
Domain types
Connectivity Settings
zero_trust.connectivity_settings
Methods
Updates the Zero Trust Connectivity Settings for the given account.
Gets the Zero Trust Connectivity Settings for the given account.
Devices
zero_trust.devices
Methods
Fetches details for a single device.
Fetches a list of enrolled devices.
Domain types
zero_trust.devices.dex_tests
Methods
Create a DEX test.
Delete a Device DEX test. Returns the remaining device dex tests for the account.
Fetch a single DEX test.
Fetch all DEX tests.
Update a DEX test.
Domain types
The configuration object which contains the details for the WARP client to conduct the test.
zero_trust.devices.fleet_status
Methods
Get the live status of a latest device given device_id from the device_state table
zero_trust.devices.networks
Methods
Creates a new device managed network.
Deletes a device managed network and fetches a list of the remaining device managed networks for an account.
Fetches details for a single managed network.
Fetches a list of managed networks for an account.
Updates a configured device managed network.
Domain types
zero_trust.devices.override_codes
Methods
Fetches a one-time use admin override code for a device. This relies on the Admin Override setting being enabled in your device configuration.
zero_trust.devices.policies
Domain types
zero_trust.devices.policies.custom
Methods
Creates a device settings profile to be applied to certain devices matching the criteria.
Deletes a device settings profile and fetches a list of the remaining profiles for an account.
Updates a configured device settings profile.
Fetches a device settings profile by ID.
Fetches a list of the device settings profiles for an account.
zero_trust.devices.policies.custom.excludes
Methods
Fetches the list of routes excluded from the WARP client's tunnel for a specific device settings profile.
Sets the list of routes excluded from the WARP client's tunnel for a specific device settings profile.
zero_trust.devices.policies.custom.fallback_domains
Methods
Fetches the list of domains to bypass Gateway DNS resolution from a specified device settings profile. These domains will use the specified local DNS resolver instead.
Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. This will only apply to the specified device settings profile.
zero_trust.devices.policies.custom.includes
Methods
Fetches the list of routes included in the WARP client's tunnel for a specific device settings profile.
Sets the list of routes included in the WARP client's tunnel for a specific device settings profile.
zero_trust.devices.policies.default
Methods
Updates the default device settings profile for an account.
Fetches the default device settings profile for an account.
zero_trust.devices.policies.default.certificates
Methods
Enable Zero Trust Clients to provision a certificate, containing an x509 subject, and referenced by Access device posture policies when the client visits mTLS protected domains. This facilitates device posture without a WARP session.
Fetches device certificate provisioning
zero_trust.devices.policies.default.excludes
Methods
Fetches the list of routes excluded from the WARP client's tunnel.
Sets the list of routes excluded from the WARP client's tunnel.
zero_trust.devices.policies.default.fallback_domains
Methods
Fetches a list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.
Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.
zero_trust.devices.policies.default.includes
Methods
Fetches the list of routes included in the WARP client's tunnel.
Sets the list of routes included in the WARP client's tunnel.
zero_trust.devices.posture
Methods
Creates a new device posture rule.
Deletes a device posture rule.
Fetches a single device posture rule.
Fetches device posture rules for a Zero Trust account.
Updates a device posture rule.
Domain types
The value to be checked against.
zero_trust.devices.posture.integrations
Methods
Create a new device posture integration.
Delete a configured device posture integration.
Updates a configured device posture integration.
Fetches details for a single device posture integration.
Fetches the list of device posture integrations for an account.
Domain types
zero_trust.devices.revoke
Methods
Revokes a list of devices.
zero_trust.devices.settings
Methods
Patches the current device settings for a Zero Trust account.
Describes the current device settings for a Zero Trust account.
Updates the current device settings for a Zero Trust account.
Domain types
zero_trust.devices.unrevoke
Methods
Unrevokes a list of devices.
DEX
zero_trust.dex
Domain types
zero_trust.dex.colos
Methods
List Cloudflare colos that an account's devices were connected to during a time period, sorted by usage starting from the most used colo. Colos without traffic are also returned and sorted alphabetically.
zero_trust.dex.commands
Methods
Initiate commands for up to 10 devices per account
Retrieves a paginated list of commands issued to devices under the specified account, optionally filtered by time range, device, or other parameters
zero_trust.dex.commands.devices
Methods
List devices with WARP client support for remote captures which have been connected in the last 1 hour.
zero_trust.dex.commands.downloads
Methods
Downloads artifacts for an executed command. Bulk downloads are not supported
zero_trust.dex.commands.quota
Methods
Retrieves the current quota usage and limits for device commands within a specific account, including the time when the quota will reset
zero_trust.dex.fleet_status
Methods
List details for live (up to 60 minutes) devices using WARP
List details for devices using WARP, up to 7 days
Domain types
zero_trust.dex.fleet_status.devices
Methods
List details for devices using WARP
zero_trust.dex.http_tests
Methods
Get test details and aggregate performance metrics for an http test for a given time period between 1 hour and 7 days.
Domain types
zero_trust.dex.http_tests.percentiles
Methods
Get percentiles for an http test for a given time period between 1 hour and 7 days.
Domain types
zero_trust.dex.tests
Methods
List DEX tests with overview metrics
Domain types
zero_trust.dex.tests.unique_devices
Methods
Returns unique count of devices that have run synthetic application monitoring tests in the past 7 days.
Domain types
zero_trust.dex.traceroute_test_results
zero_trust.dex.traceroute_test_results.network_path
Methods
Get a breakdown of hops and performance metrics for a specific traceroute test run
zero_trust.dex.traceroute_tests
Methods
Get test details and aggregate performance metrics for a traceroute test for a given time period between 1 hour and 7 days.
Get a breakdown of metrics by hop for individual traceroute test runs
Get percentiles for a traceroute test for a given time period between 1 hour and 7 days.
Domain types
DLP
zero_trust.dlp
zero_trust.dlp.datasets
Methods
Create a new dataset
This deletes all versions of the dataset.
Fetch a specific dataset
Fetch all datasets
Update details about a dataset
Domain types
zero_trust.dlp.datasets.upload
Methods
Prepare to upload a new version of a dataset
This is used for single-column EDMv1 and Custom Word Lists. The EDM format can only be created in the Cloudflare dashboard. For other clients, this operation can only be used for non-secret Custom Word Lists. The body must be a UTF-8 encoded, newline (NL or CRNL) separated list of words to be matched.
Domain types
zero_trust.dlp.datasets.versions
Methods
This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard. The columns in the response appear in the same order as in the request.
zero_trust.dlp.datasets.versions.entries
Methods
This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard.
zero_trust.dlp.email
zero_trust.dlp.email.account_mapping
Methods
Create mapping
Get mapping
zero_trust.dlp.email.rules
Methods
Update email scanner rule priorities
Create email scanner rule
Delete email scanner rule
Get an email scanner rule
Lists all email scanner rules for an account.
Update email scanner rule
zero_trust.dlp.entries
Methods
Creates a DLP custom entry.
Deletes a DLP custom entry.
Fetches a DLP entry by ID